11176250

System and Method for Detection of a Malicious File

Published November 16, 2021
Assignee not available in USPTO data we have
Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for detecting a malicious file, comprising: monitoring a file during execution of the file within a computer system; forming a feature vector based on behavioral data during the execution of the file, wherein features of the feature vector characterize the behavioral data; calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be safe, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law; and deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.

2. The method of claim 1, wherein the model for calculation of parameters is trained by a method of machine learning performed on at least one safe file and one malicious file.

3. The method of claim 2, wherein the method of machine learning is one of: gradient boosting on decision-making trees; decision-making trees; the method of k-nearest neighbors; or the method of support vectors.

4. The method of claim 1, wherein the behavioral data comprises at least: the commands being executed by the file, the attributes being transmitted to those commands and the values being returned; data on the RAM areas being modified by the file being executed; or static parameters of the file.

5. The method of claim 1, wherein calculating the limit degree of safety based on the degree of maliciousness, and wherein the limit degree of safety is calculated when the file is launched, on the basis of an analysis of static parameters of the file.

6. The method of claim 1, wherein the trained model for calculation of parameters is a set of rules for computing the degree of maliciousness of the file and the limit degree of safety of the file, which depend on the behavioral data.

7. The method of claim 1, wherein the time laws are monotonic in nature.

8. The method of claim 1, wherein the correlation between the degree of maliciousness and the limit degree of safety is at least: the difference from a predetermined threshold value of the distance between the degree of maliciousness and the boundary conditions of maliciousness; the difference from a predetermined threshold value of the area bounded in a given time interval between the degree of maliciousness and the boundary conditions; or the difference from a predetermined value of the rate of mutual increase of the curve describing the degree of maliciousness and the boundary conditions of maliciousness as a function of time.

9. The method of claim 1, wherein the model for calculation of parameters is additionally retrained based on an analysis of the calculated degree of maliciousness and limit degree of safety, as a result of which changes in the time laws describing the degree of maliciousness and the limit degree of safety mean that the correlation between the values obtained on the basis of those laws tend toward a maximum.

10. The method of claim 1, wherein the model for calculation of parameters is retrained so that, when that model is used, the criterion formed afterwards will ensure at least: the accuracy of determining the degree of maliciousness and the limit degree of safety is greater than when using an untrained model for calculation of parameters; the utilization of the computing resources is lower than when using an untrained model for calculation of parameters.

11. A system for detecting a malicious file, comprising: a hardware processor configured to: monitor a file during execution of the file within a computer system; form a feature vector based on behavioral data during the execution of the file, wherein features of the feature vector characterize the behavioral data; calculate parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be safe, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law; and decide that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.

12. The system of claim 11, wherein the model for calculation of parameters is trained by a method of machine learning performed on at least one safe file and one malicious file.

13. The system of claim 12, wherein the method of machine learning is one of: gradient boosting on decision-making trees; decision-making trees; the method of k-nearest neighbors; or the method of support vectors.

14. The system of claim 11, wherein the behavioral data comprises at least: the commands being executed by the file, the attributes being transmitted to those commands and the values being returned; data on the RAM areas being modified by the file being executed; or static parameters of the file.

15. The system of claim 11, wherein calculating the limit degree of safety based on the degree of maliciousness, and wherein the limit degree of safety is calculated when the file is launched, on the basis of an analysis of static parameters of the file.

16. The system of claim 11, wherein the trained model for calculation of parameters is a set of rules for computing the degree of maliciousness of the file and the limit degree of safety of the file, which depend on the behavioral data.

17. The system of claim 11, wherein the correlation between the degree of maliciousness and the limit degree of safety is at least: the difference from a predetermined threshold value of the distance between the degree of maliciousness and the boundary conditions of maliciousness; the difference from a predetermined threshold value of the area bounded in a given time interval between the degree of maliciousness and the boundary conditions; or the difference from a predetermined value of the rate of mutual increase of the curve describing the degree of maliciousness and the boundary conditions of maliciousness as a function of time.

18. The system of claim 11, wherein the model for calculation of parameters is additionally retrained based on an analysis of the calculated degree of maliciousness and limit degree of safety, as a result of which changes in the time laws describing the degree of maliciousness and the limit degree of safety mean that the correlation between the values obtained on the basis of those laws tend toward a maximum.

19. The system of claim 11, wherein the model for calculation of parameters is retrained so that, when that model is used, the criterion formed afterwards will ensure at least: the accuracy of determining the degree of maliciousness and the limit degree of safety is greater than when using an untrained model for calculation of parameters; the utilization of the computing resources is lower than when using an untrained model for calculation of parameters.

20. A non-transitory computer-readable medium, storing instructions thereon for detecting a malicious file, the instructions comprising: monitoring a file during execution of the file within a computer system; forming a feature vector based on behavioral data during the execution of the file, wherein features of the feature vector characterize the behavioral data; calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be safe, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law; and deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.

Patent Metadata

Filing Date

Unknown

Publication Date

November 16, 2021

Inventors

Alexander S. Chistyakov
Alexey M. Romanenko
Alexander S. Shevelev

Cite as: Patentable. “SYSTEM AND METHOD FOR DETECTION OF A MALICIOUS FILE” (11176250). https://patentable.app/patents/11176250
